
cherry-mcp

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): The core functionality relies on node cli.js add-server <command>, which allows for the registration and execution of arbitrary system commands as child processes. This capability can be abused if an attacker gains access to the configuration interface.
  • [CREDENTIALS_UNSAFE] (HIGH): The documentation confirms that secrets provided via the set-env command are stored in plain text within config.json. This violates security best practices and exposes high-value tokens (e.g., GITHUB_TOKEN) to any user or process with read access to the skill's directory.
  • [EXTERNAL_DOWNLOADS] (LOW): The skill promotes the use of npx to fetch and run remote packages (e.g., @anthropic/mcp-github). While the specific example is from a trusted source, the pattern encourages running unverified remote code.
  • [REMOTE_CODE_EXECUTION] (HIGH): The HTTP bridge translates external REST requests into tool calls executed by local child processes. This creates a significant Indirect Prompt Injection surface where untrusted data from an agent's context can influence command-line arguments passed to MCP servers.
  • [Persistence Mechanisms] (MEDIUM): Usage of pm2 start and pm2 startup is documented to ensure the bridge and its child processes persist across reboots, which is a common technique for maintaining unauthorized access if the skill is used maliciously.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 06:45 AM